InvenTree 1.2.6 contains fixes for new security advisories

Updating to 1.2.6 is strongly advised. See GHSA-rhc5-7c3r-c769 and GHSA-m8j2-vfmq-p6qg for details.
Every admin should be aware of the assumed trust in our threat model. If you followed it, you are not vulnerable; see https://docs.inventree.org/en/latest/concepts/threat_model/

Many thanks to patelhettt (x2) and alonaki for their research and responsible disclosure.

#inventree #inventreedb #opensourcesecurity

Threat Model - InvenTree Documentation

InvenTree - Open Source Inventory Management

Alert: a supply-chain attack compromised Trivy tags (trivy-action/setup-trivy); the malware exfiltrates tokens and keys from CI/CD. Assume your pipelines are compromised and rotate credentials now. https://aidoo.news/noticia/rgRJYx

#SupplyChain #GitHubActions #CICD #Kubernetes #OpenSourceSecurity

The popular Trivy scanner, compromised in an ongoing supply-chain attack

Hackers compromised practically every version of Aqua Security's Trivy vulnerability scanner in a supply-chain attack that began

Aidoo Noticias

Airlock v0.3.0: command modules are now opt-in.

Airlock already shipped hardened deny rules per tool and scoped each container via profiles. Now there's a third layer: no command loads unless the operator enables it.

SSH is worth calling out. It's remote code execution with real keys. If you enable it, 13 deny rules lock it to single-hop, one-off commands. No tunneling, no forwarding, no credential passthrough.

https://github.com/calebfaruki/airlock

#infosec #docker #opensourcesecurity #aiagents #owasp #ai

GitHub - calebfaruki/airlock: Credential isolation for CLI tools in Docker containers. Proxies git, aws, terraform, and other commands that need SSH keys, cloud configs, or local credentials — without mounting secrets into the container.
We're LIVE! Join the Anchore Open Source team now to discuss Syft, Grype, and the latest in #OpenSourceSecurity. Ask your questions! https://www.youtube.com/watch?v=O5ewVqmClYo

I had a chat on #OpenSourceSecurity with Luke Hinds about his project nono as well as MCP security

nono is a sandbox for containing all these tools, which is an incredibly difficult problem to solve. The things we see skills and MCP doing are moving forward faster than anyone can keep up

Luke has great insight into what's going on and what's wrong with what's going on

https://opensourcesecurity.io/2026/2026-03-mcp-agent-luke/

MCP and Agent security with Luke Hinds

Josh talks to Luke Hinds, CEO of Always Further, about MCP and agent security. We start out talking about Luke’s new tool, nono, which is a sandboxing tool that has AI agents in mind as a use case. We explain what MCP and agents are doing as well as why it’s so hard to secure them. It’s not impossible, but it’s not simple either. We end the show by discussing some of the more human aspects of security and how history may be repeating itself with security folks laughing at new users who don’t know any better.

Open Source Security
We're LIVE! Join the Anchore Open Source team now to discuss Syft, Grype, and the latest in #OpenSourceSecurity. Ask your questions! https://www.youtube.com/watch?v=0GtI0pEWpzI

This week on #OpenSourceSecurity I had a chat with Paul Kehrer and Alex Gaynor about the statement they published discussing the challenges posed by modern OpenSSL for the python cryptography module

It was a super fun discussion, I learned a ton, and it highlights the open source question about what happens when one of your dependencies isn't a great fit anymore

https://opensourcesecurity.io/2026/2026-03-cryptography-alex-paul/

The State of OpenSSL for pyca/cryptography with Alex Gaynor and Paul Kehrer

Josh talks to Paul Kehrer and Alex Gaynor, from the Python Cryptographic Authority. Alex and Paul recently published a statement discussing the challenges posed by modern OpenSSL. We discuss the statement and their relationship with OpenSSL. We chat about some of the current features in cryptography, as well as some of what’s coming in the future. It’s a fun conversation that hits on a lot of great points.

Episode links: Alex, Paul, pyca/cryptography, The State of OpenSSL for pyca/cryptography, x509-limbo, Community Cryptography Specification Project.

This episode is also available as a podcast; search for “Open Source Security” on your favorite podcast player.

Open Source Security